Failure to Secure Resident and Staff Protected Information After Shed Break-In
Penalty
Summary
The facility failed to protect and secure protected health information (PHI) for residents and private information for staff when two of seven storage sheds were broken into and remained unsecured for several days. During an observation, it was found that one shed was missing a door and was covered only by a wooden board, while the other had a door but no lock. Inside the first shed, there were filing cabinets containing over 200 files with resident medical records, including names, dates of birth, social security numbers, and medical diagnoses, as well as employee files with personal and employment information. The filing cabinets themselves were also not locked. Interviews with facility staff, including the Environmental Service Director (ESD), Medical Records Director (MRD), Assistant Director of Nursing (ADON), Director of Nursing (DON), and Administrator (ADM), revealed that several were unaware that the sheds contained PHI and staff private information. The ESD stated he did not know the contents of the sheds and that the sheds had remained unlocked since the break-in. The MRD, ADON, and DON all acknowledged that PHI and private information should be kept confidential and secure, and that it was unacceptable to store such information in an unsecured location. The ADM stated he had been informed by a previous Human Resources Manager that the sheds did not contain PHI or private information, and that staff should have inspected the filing cabinets to ensure the information was protected. A review of the facility's policy and procedure confirmed that all personnel are responsible for managing and protecting resident and facility information to prevent unauthorized release or disclosure. The HIPAA Privacy Rule was also referenced, which requires appropriate safeguards to protect the privacy of PHI. The failure to secure the sheds and filing cabinets containing sensitive information was directly observed and confirmed by multiple staff members.